Sanitize paths before evaluating access to route

release-11.6.0+security-01
Andres Martinez Gotor 3 months ago committed by Kevin Minehart
parent 78ca78f5df
commit 89963aca1f
  1. 10
      pkg/api/pluginproxy/ds_proxy.go
  2. 8
      pkg/api/pluginproxy/ds_proxy_test.go

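--- a/pkg/api/pluginproxy/ds_proxy.go
+++ b/pkg/api/pluginproxy/ds_proxy.go
@@ -302,7 +302,15 @@ func (proxy *DataSourceProxy) validateRequest() error {
 }
 // route match
-if !strings.HasPrefix(proxy.proxyPath, route.Path) {
+r1, err := util.CleanRelativePath(proxy.proxyPath)
+if err != nil {
+return err
+}
+r2, err := util.CleanRelativePath(route.Path)
+if err != nil {
+return err
+}
+if !strings.HasPrefix(r1, r2) {
 continue
 }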
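Review bot: The new comparison at `if !strings.HasPrefix(r1, r2) {` is still a plain string-prefix match, so a cleaned request path like `api/adminx` satisfies a route whose cleaned path is `api/admin`; if routes are meant to match on whole path segments, compare `if r1 != r2 && !strings.HasPrefix(r1, r2+"/") {` (this assumes CleanRelativePath strips any trailing slash — verify). The cleaned r1 is only used for this check; if the raw proxy.proxyPath is what is later forwarded upstream (outside this hunk), the path that was authorized and the path that is sent are not the same value, so consider writing the cleaned form back or validating the form that is actually forwarded. Both CleanRelativePath errors are also returned without context, e.g. `return fmt.Errorf("cleaning proxy path: %w", err)` would say which of the two paths failed. The enclosing route loop and validateRequest itself continue outside the hunk.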

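--- a/pkg/api/pluginproxy/ds_proxy_test.go
+++ b/pkg/api/pluginproxy/ds_proxy_test.go
@@ -274,6 +274,14 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 err = proxy.validateRequest()
 require.NoError(t, err)
 })
+t.Run("path with slashes and user is editor", func(t *testing.T) {
+ctx, _ := setUp()
+proxy, err := setupDSProxyTest(t, ctx, ds, routes, "//api//admin")
+require.NoError(t, err)
+err = proxy.validateRequest()
+require.Error(t, err)
+})
 })
 t.Run("plugin route with RBAC protection user is allowed", func(t *testing.T) {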
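Review bot: The added subtest only checks `require.Error(t, err)`, so it would also pass if CleanRelativePath itself returned an error rather than the route check denying the editor; assert the specific denial that validateRequest returns (with `require.ErrorIs` against its sentinel if one exists, otherwise `require.ErrorContains` on its message) so the test pins the intended outcome. The case also exercises only doubled slashes; a sibling subtest with a dot-segment path such as `"api/../admin"` would confirm that full normalization, not just slash collapsing, happens before the route comparison. The parent t.Run that these subtests belong to starts outside the hunk.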
